File name:

§a§lFurf§b§lSky §6§lReborn §8§lFULL.zip

Full analysis: https://app.any.run/tasks/a197d986-3fdb-45bb-a8ea-1d5b1d3df4f1
Verdict: Malicious activity
Analysis date: May 15, 2025, 22:03:07
OS: Ubuntu 22.04.2
MIME: application/zip
File info: Zip archive data, at least v2.0 to extract, compression method=store
MD5:

693F5A312CB357E523EF82D910F3D5FF

SHA1:

18043C3B7FF329329660CDDC48EEBB98FAE7BE88

SHA256:

D92CD0A84585B6BE7E874F89C29EC704BADE597DFF7C3C70AC4DB14F2530ED1B

SSDEEP:

98304:ixtdrwGLMOz8ZB0o4DtrdBo4zOcry7mCUW8BhRju8bsv7+pjLiynK1SU7c1nm3tI:eNuIMuKI

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.

  • MALICIOUS

    No malicious indicators.

  • SUSPICIOUS

    • Executes commands using command-line interpreter

      • sudo (PID: 40665)
      • chrome (PID: 40682)

    • Reads passwd file

      • file-roller (PID: 40666)

    • Reads profile file

      • file-roller (PID: 40666)

  • INFO

    • Checks timezone

      • file-roller (PID: 40666)
      • 7z (PID: 40681)
      • chrome (PID: 40682)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF

ZIP

ZipRequiredVersion: 20
ZipBitFlag: -
ZipCompression: None
ZipModifyDate: 2025:01:06 06:03:54
ZipCRC: 0x00000000
ZipCompressedSize: -
ZipUncompressedSize: -
ZipFileName: assets/
No data.
screenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshotscreenshot
All screenshots are available in the full report
All screenshots are available in the full report
Total processes
321
Monitored processes
95
Malicious processes
0
Suspicious processes
0

Behavior graph

Click at the process to see the details
start dash no specs sudo no specs file-roller no specs locale-check no specs 7z no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome_crashpad_handler no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome chrome no specs chrome no specs chrome no specs dash no specs dash no specs dash no specs dash no specs basename no specs dash no specs dash no specs readlink no specs dash no specs grep no specs cut no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs tr no specs dash no specs tr no specs mawk no specs cut no specs basename no specs dash no specs dash no specs readlink no specs dash no specs grep no specs cut no specs dash no specs dash no specs chrome no specs dash no specs dash no specs dash no specs dash no specs dash no specs dash no specs tr no specs dash no specs tr no specs mawk no specs cut no specs basename no specs dash no specs dash no specs readlink no specs grep no specs cut no specs dash no specs chrome no specs chrome no specs chrome no specs readlink no specs dirname no specs mkdir no specs cat no specs cat no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs chrome no specs tracker-extract-3 no specs

Process information

PID
CMD
Path
Indicators
Parent process
40664/bin/sh -c "DISPLAY=:0 sudo -iu user file-roller \"/tmp/§a§lFurf§b§lSky §6§lReborn §8§lFULL\.zip\" "/usr/bin/dashany-guest-agent
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40665sudo -iu user file-roller "/tmp/§a§lFurf§b§lSky §6§lReborn §8§lFULL\.zip"/usr/bin/sudodash
User:
root
Integrity Level:
UNKNOWN
Exit code:
0
40666file-roller "/tmp/§a§lFurf§b§lSky §6§lReborn §8§lFULL\.zip"/usr/bin/file-rollersudo
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40667/usr/bin/locale-check C.UTF-8/usr/bin/locale-checkfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40681/usr/lib/p7zip/7z l -slt -bd -y -- "/tmp/§a§lFurf§b§lSky §6§lReborn §8§lFULL\.zip"/usr/lib/p7zip/7zfile-roller
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40682/usr/bin/google-chrome-stable/opt/google/chrome/chromegnome-shell
User:
user
Integrity Level:
UNKNOWN
40684readlink -f /usr/bin/google-chrome-stable/usr/bin/readlinkchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40685dirname /opt/google/chrome/google-chrome/usr/bin/dirnamechrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40686mkdir -p /home/user/.local/share/applications/usr/bin/mkdirchrome
User:
user
Integrity Level:
UNKNOWN
Exit code:
0
40687cat/usr/bin/catchrome
User:
user
Integrity Level:
UNKNOWN
Executable files
0
Suspicious files
198
Text files
11
Unknown types
0

Dropped files

PID
Process
Filename
Type
40682chrome/home/user/.config/google-chrome/ShaderCache/data_3binary
MD5:
SHA256:
40682chrome/home/user/.config/google-chrome/ShaderCache/data_2binary
MD5:
SHA256:
40682chrome/home/user/.config/google-chrome/ShaderCache/data_0binary
MD5:
SHA256:
40682chrome/home/user/.config/google-chrome/Default/GPUCache/data_3binary
MD5:
SHA256:
40682chrome/home/user/.config/google-chrome/Default/GPUCache/data_2binary
MD5:
SHA256:
40682chrome/home/user/.config/google-chrome/Default/GPUCache/data_0binary
MD5:
SHA256:
40725chrome/home/user/.cache/mesa_shader_cache/indexbinary
MD5:
SHA256:
40824chrome/home/user/.cache/mesa_shader_cache/indexbinary
MD5:
SHA256:
40848chrome/home/user/.cache/mesa_shader_cache/indexbinary
MD5:
SHA256:
40682chrome/home/user/.config/google-chrome/Default/Historybinary
MD5:
SHA256:
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
1
TCP/UDP connections
30
DNS requests
39
Threats
24

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
GET
204
185.125.190.97:80
http://connectivity-check.ubuntu.com/
unknown
whitelisted
Download PCAP, analyze network streams, HTTP content and a lot more at the full report

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
185.125.190.97:80
connectivity-check.ubuntu.com
Canonical Group Limited
GB
whitelisted
484
avahi-daemon
224.0.0.251:5353
unknown
169.150.255.184:443
odrs.gnome.org
GB
whitelisted
185.125.188.59:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
185.125.188.57:443
api.snapcraft.io
Canonical Group Limited
GB
whitelisted
40731
chrome
142.250.185.234:443
safebrowsingohttpgateway.googleapis.com
GOOGLE
US
whitelisted
40731
chrome
142.250.185.99:443
clientservices.googleapis.com
GOOGLE
US
whitelisted
40731
chrome
40.114.177.156:443
duckduckgo.com
MICROSOFT-CORP-MSN-AS-BLOCK
NL
whitelisted
40731
chrome
173.194.76.84:443
accounts.google.com
GOOGLE
US
whitelisted
40731
chrome
142.250.186.138:443
safebrowsing.googleapis.com
GOOGLE
US
whitelisted

DNS requests

Domain
IP
Reputation
connectivity-check.ubuntu.com
  • 185.125.190.97
  • 185.125.190.96
  • 185.125.190.98
  • 91.189.91.98
  • 91.189.91.96
  • 185.125.190.18
  • 91.189.91.49
  • 91.189.91.48
  • 185.125.190.48
  • 185.125.190.17
  • 185.125.190.49
  • 2620:2d:4000:1::97
  • 2001:67c:1562::23
  • 2620:2d:4002:1::196
  • 2620:2d:4000:1::96
  • 2620:2d:4000:1::23
  • 2001:67c:1562::24
  • 2620:2d:4000:1::2a
  • 2620:2d:4000:1::2b
  • 2620:2d:4000:1::98
  • 2620:2d:4000:1::22
  • 2620:2d:4002:1::198
whitelisted
odrs.gnome.org
  • 169.150.255.184
  • 195.181.175.40
  • 169.150.255.180
  • 207.211.211.26
  • 195.181.170.18
  • 37.19.194.80
  • 212.102.56.178
  • 2a02:6ea0:c700::21
  • 2a02:6ea0:c700::19
  • 2a02:6ea0:c700::11
  • 2a02:6ea0:c700::101
  • 2a02:6ea0:c700::18
  • 2a02:6ea0:c700::112
  • 2a02:6ea0:c700::107
whitelisted
google.com
  • 142.250.186.142
  • 2a00:1450:4001:82a::200e
whitelisted
api.snapcraft.io
  • 185.125.188.59
  • 185.125.188.54
  • 185.125.188.58
  • 185.125.188.57
  • 2620:2d:4000:1010::42
  • 2620:2d:4000:1010::344
  • 2620:2d:4000:1010::2e6
  • 2620:2d:4000:1010::117
whitelisted
6.100.168.192.in-addr.arpa
unknown
safebrowsingohttpgateway.googleapis.com
  • 142.250.185.234
  • 172.217.23.106
  • 142.250.185.74
  • 142.250.185.106
  • 172.217.16.202
  • 142.250.185.170
  • 142.250.185.202
  • 142.250.185.138
  • 142.250.186.74
  • 216.58.212.138
  • 216.58.206.42
  • 142.250.74.202
  • 142.250.186.42
  • 142.250.186.106
  • 172.217.18.106
  • 142.250.181.234
whitelisted
clientservices.googleapis.com
  • 142.250.185.99
whitelisted
duckduckgo.com
  • 40.114.177.156
whitelisted
accounts.google.com
  • 173.194.76.84
whitelisted
safebrowsing.googleapis.com
  • 142.250.186.138
whitelisted

Threats

PID
Process
Class
Message
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
40731
chrome
Generic Protocol Command Decode
SURICATA QUIC failed decrypt
No debug info
Interactive malware hunting service ANY.RUN
© 2017-2025 ANY.RUN ALL RIGHTS RESERVED
ANY.RUN
Reports
§a§lFurf§b§lSky §6§lReborn §8§lFULL.zip